PetitPotam: How an NTLM relay attack can threaten Active Directory, Active Directory Certificate Services and your network
PetitPotam is an advanced authentication coercion attack, and in combination with an NTLM relay (NTLM redirection) attack it creates a serious threat to Active Directory (AD) infrastructures. By exploiting vulnerabilities in the EFS (Encrypting File System) RPC calls, PetitPotam can force a target machine to start NTLM authentication, which an attacker can then intercept and relay to escalate privileges and reach vital network resources such as Active Directory Certificate Services (AD CS). The result? It gives hackers an opportunity to take control of an entire AD domain, which makes PetitPotam and a default, insecure AD CS configuration a particularly dangerous combination.
And yes, you’ve guessed it right – “petit potam” does mean a “little hippo” in French. Quite ironic, considering how much chaos it can create!
Understanding PetitPotam
Threats associated with the PetitPotam attack
PetitPotam can be used for a range of attacks, including (but not limited to):
- Interception of credentials: Attackers can capture an NTLM response, enabling unauthorized access to network resources (NTLM relay attack). This can easily open the door for lateral movement.
- Privilege escalation: By obtaining certificates from AD CS, attackers can acquire higher privileges in an Active Directory domain, potentially achieving domain administrator status and gaining full control over network resources.
- Complete AD domain compromise: Once attackers obtain critical certificates and keys, they can gain access to the entire Active Directory domain. This paves the way for a complete IT infrastructure takeover, allowing them to manipulate systems and services.
NTLM relay in the context of PetitPotam
What exactly is NTLM relay? It is intercepting an NTLM authentication and redirecting it to another server. With PetitPotam, the attacker forces the Windows server to send an NTLM authentication request to the malicious server, which relays it to the AD CS Web Enrollment service and obtains a certificate in the context of the attacked Windows server. With that certificate, the attacker can gain control over the network by impersonating the domain controller and then using DCSync.
PetitPotam and Active Directory Certificate Services
One of the main targets of the PetitPotam attack is the combination of Active Directory domain controllers and the Active Directory Certificate Services (AD CS) web enrollment service.
When attackers start manipulating the authentication process, they can get their hands on certificates that allow them to access network resources as privileged users. Once they obtain certificates from AD CS, they’re on the right track to claim full administrative rights across the network. As you can see, it already sounds quite dangerous. And these are only some of the consequences that this attack can lead to.
Prepare yourself well before PetitPotam strikes back!
How to minimize the risk of PetitPotam and NTLM relay attacks? Here’s a list of essential steps that you should never skip:
- Protect Active Directory Certificate Services (AD CS) by restricting access to only trusted users and servers.
- Keep an eye on network traffic to quickly spot invalid authentication attempts, as they could signal an NTLM relay attack.
- Disable NTLM where possible and replace it with a more secure authentication protocol, for instance Kerberos.
- Remove Certificate Web Enrollment or completely disable NTLM on IIS.
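The monitoring step above can be made concrete. The tell-tale sign of a relayed PetitPotam coercion is a domain controller's machine account (for example DC01$) performing an NTLM network logon (Event ID 4624, Logon Type 3) on the AD CS web enrollment host from an IP address that is not the domain controller's own, because the connection really comes from the relay host. The following Python is an added example, not code from the original article: the event records, the DC address inventory and the field layout are constructed assumptions, and in practice they would be fed from the security log and your asset inventory.

```python
# Added example: flag NTLM network logons of a DC machine account to the
# AD CS web host that originate from an address the DC does not own.
from dataclasses import dataclass

@dataclass(frozen=True)
class LogonEvent:
    event_id: int      # Windows event ID (4624 = successful logon)
    account: str       # TargetUserName, e.g. "DC01$"
    logon_type: int    # 3 = network logon
    auth_package: str  # AuthenticationPackageName: "NTLM" or "Kerberos"
    source_ip: str     # IpAddress of the client that authenticated
    target_host: str   # host that logged the event (the CA web server)

# Constructed inventory: the addresses each domain controller legitimately uses.
DC_ADDRESSES = {"DC01$": {"10.0.0.10"}, "DC02$": {"10.0.0.11"}}
# Constructed: hosts running AD CS Web Enrollment.
CA_WEB_HOSTS = {"CA01"}

def is_suspicious_relay(ev, dc_addresses=DC_ADDRESSES, ca_hosts=CA_WEB_HOSTS):
    """True when a DC machine account logs on to an AD CS web host over
    NTLM from an IP that is not one of that DC's own addresses."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if ev.auth_package.upper() != "NTLM":
        return False          # Kerberos logons cannot be NTLM-relayed
    if ev.target_host not in ca_hosts:
        return False
    allowed = dc_addresses.get(ev.account)
    if allowed is None:
        return False          # not a domain controller account
    return ev.source_ip not in allowed

def find_relay_candidates(events, **kw):
    return [ev for ev in events if is_suspicious_relay(ev, **kw)]

# Constructed sample log: one benign DC logon, one workstation NTLM logon,
# one relay-shaped DC logon to the CA, and the same pattern against a file server.
SAMPLE_EVENTS = [
    LogonEvent(4624, "DC01$", 3, "Kerberos", "10.0.0.10", "CA01"),
    LogonEvent(4624, "WS042$", 3, "NTLM", "10.0.5.42", "CA01"),
    LogonEvent(4624, "DC01$", 3, "NTLM", "10.0.7.99", "CA01"),
    LogonEvent(4624, "DC01$", 3, "NTLM", "10.0.7.99", "FS01"),
]

if __name__ == "__main__":
    for ev in find_relay_candidates(SAMPLE_EVENTS):
        print(f"ALERT: {ev.account} NTLM logon to {ev.target_host} from {ev.source_ip}")
```

Only the third record is reported; the file-server case is left to a broader rule, since this check is scoped to the AD CS web host the article discusses.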
Staying safe against attacks
As you can see, PetitPotam is quite a sophisticated attack. It takes advantage of vulnerabilities in EFS, the NTLM protocol and AD CS, leads to privilege escalation, and gives attackers a chance to take control of the network infrastructure.
To keep your systems safe from this threat, it’s necessary to disable NTLM, secure the AD CS Web Enrollment service and keep an eagle eye on network activity – all to detect potential threats immediately. You also shouldn’t forget to apply security updates to your systems regularly. This way, you can prevent the entire network from being compromised.
If you’d like to explore PetitPotam in even greater depth – there’s still an entire video with Mike waiting for you at the top of this page. Make sure to hit play and discover real-world tricks for safeguarding your infrastructure.
You can also return to this article anytime to refresh your knowledge.
If you have any comments or questions, feel free to shoot us a message. We’d love to hear from you! That’s all for today, thank you for staying with us – and until the next one!